CVE November 2024 #4933

jaredb96 · 2024-11-29T21:41:36Z

CVE-2023-2976

Resolves CVE-2023-2976 and CVE-2024-21742

jaredb96 · 2024-11-18T21:13:37Z

Remove here since it isn't necessary, the upgrade resolves this cve, although we could use this base image as well: eclipse-temurin:21.0.5_11-jdk-alpine

jaredb96 · 2024-11-18T19:20:17Z

CVE-2024-5535

Resolves CVE-2024-5535, CVE-2024-45492, and CVE-2024-45491 - all critical cves

This actually resolves the majority of the critical / high cves:

CVE-2024-5535 (libcrypto3, libssl3)
CVE-2024-45492, CVE-2024-45491 (libexpat)
CVE-2024-6119 (libcrypto3, libssl3)
CVE-2024-4603 (libcrypto3, libssl3)
CVE-2024-4741, CVE-2024-2511 (libcrypto3, libssl3)

Current cves:

NAME INSTALLED FIXED-IN TYPE VULNERABILITY SEVERITY apache-mime4j-core 0.8.9 0.8.10 java-archive GHSA-jw7r-rxff-gv24 Medium guava 31.0.1-android 32.0.0-android java-archive GHSA-7g45-4rm6-3mm3 Medium guava 31.0.1-android 32.0.0-android java-archive GHSA-5mg8-w23w-74h3 Low keycloak-core 25.0.3 25.0.4 java-archive GHSA-xmmm-jw76-q7vg Medium netty-common 4.1.94.Final 4.1.115 java-archive GHSA-xq3w-v528-46rv High openjdk 21.0.2+13-LTS 1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422 binary CVE-2024-21147 High openjdk 21.0.2+13-LTS 1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432 binary CVE-2024-21235 Medium openjdk 21.0.2+13-LTS 1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422 binary CVE-2024-21145 Medium openjdk 21.0.2+13-LTS 1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422 binary CVE-2024-21140 Medium openjdk 21.0.2+13-LTS 1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432 binary CVE-2024-21217 Low openjdk 21.0.2+13-LTS 1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432 binary CVE-2024-21210 Low openjdk 21.0.2+13-LTS 1.8.0_432, 11.0.25, 17.0.13, 21.0.5, 23.0.1, 8.0.432 binary CVE-2024-21208 Low openjdk 21.0.2+13-LTS 1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422 binary CVE-2024-21138 Low openjdk 21.0.2+13-LTS 1.8.0_422, 11.0.24, 17.0.12, 21.0.4, 22.0.2, 8.0.422 binary CVE-2024-21131 Low openjdk 21.0.2+13-LTS 1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412 binary CVE-2024-21094 Low openjdk 21.0.2+13-LTS 1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412 binary CVE-2024-21068 Low openjdk 21.0.2+13-LTS 11.0.23, 17.0.11, 21.0.3, 22.0.1 binary CVE-2024-21012 Low openjdk 21.0.2+13-LTS 1.8.0_412, 11.0.23, 17.0.11, 21.0.3, 22.0.1, 8.0.412 binary CVE-2024-21011 Low zookeeper 3.8.3 3.8.4 java-archive GHSA-r978-9m6m-6gm6 Medium

Hi @jaredb96 ; would it be worth upgrading the base image at this point? looks like eclipse-temurin:23.0.1_11-jdk-alpine resolves all the critical CVEs (and it also seems to run an "apk update" internally). We could of course try going back a bit farther if we don't want an image pushed yesterday...

-Original file line number
+Diff line change
@@ Expand Up / @@ -67,7 +67,7 @@ lazy val dockerSettings = Seq( @@
       dockerBaseImage := "eclipse-temurin:21.0.2_13-jdk-alpine",
       dockerRepository := Some("hmda"),
       dockerCommands := dockerCommands.value.flatMap {
-        case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk add --no-cache openssl"),
+        case cmd@Cmd("FROM",_) => List(cmd,
           Cmd("RUN", "apk update"),
           Cmd("RUN", "apk upgrade"),
           Cmd("RUN", "rm /var/cache/apk/*"))
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE November 2024 #4933

Diff view

Diff view

There are no files selected for viewing

jaredb96 Nov 29, 2024

jaredb96 Nov 18, 2024

jaredb96 Nov 18, 2024

jaredb96 Nov 18, 2024

tptignor Dec 4, 2024

CVE November 2024 #4933

CVE November 2024 #4933

Diff view

Diff view

There are no files selected for viewing

jaredb96 Nov 29, 2024

Choose a reason for hiding this comment

jaredb96 Nov 18, 2024

Choose a reason for hiding this comment

jaredb96 Nov 18, 2024

Choose a reason for hiding this comment

jaredb96 Nov 18, 2024

Choose a reason for hiding this comment

tptignor Dec 4, 2024

Choose a reason for hiding this comment